Cybersecurity Risk Management 360 was held yesterday in Baltimore. The morning-long session was noteworthy in that the speakers represented the well-informed and technically literate allied sectors of cyber security: insurance, law, financial services, accounting, and consulting. In the audience were a wide range of businesses and other organizations, along with strong representation of cyber security product, service, and solution providers. The mix seemed appropriate to a business-centered consideration of cyber security as a risk management challenge.
Opening remarks by master of ceremonies Don Fry (President and CEO of the Greater Baltimore Committee) stressed the need for increased board-level and C-suite awareness and understanding of cyber security issues. He expressed the hope that considering them as risk management challenges would help bridge the gap between the technical and managerial worlds. He then turned the floor over to the day's panel, moderated by Ken McCreedy, Senior Director, Cybersecurity and Aerospace, Maryland Department of Commerce. The panel consisted of Valerie Corekin (CPCU, ARM, Vice President, Senior Risk Advisor-Risk Solutions Group, PSA Insurance and Financial Services), Jim Gfrerer (Americas Cybersecurity Executive Director, Ernst & Young LLP), Janet Horenberg (CPCU, CIC, CRM, Director, NFP Property & Casualty), and Keith Moulsdale (Partner, Whiteford Taylor & Preston).
A role for consulting.
Gfrerer opened discussion by describing the current-state and future-state cyber assessments EY conducts for its clients. He believes that clients need to "embed and understand risk." At higher maturity levels, he's found that many clients have Chief Risk Officers (although, he noted, some CEOs resist establishing a CRO because they don't wish to absolve other C-level executives from the sense that they're responsible for managing risk).
He observed that one consequence of the well-known shortage of skilled cyber security labor is that consultants find themselves helping their clients outsource many cyber security functions as they grapple with the challenges of protecting both company and customer privacy, and as they work to integrate IT, cyber, and operational systems.
Quantifying cyber risk.
Managing cyber risk requires being able to put a soundly quantified value on both data and tech assets, Corekin said. "Without a valuation, these just fall off the radar." And reducing risk (contrary to what many small businesses in particular seem to assume) involves much more than just backing up data.
She cited the World Economic Forum's framework for assessing value of data. That framework uses the concept—borrowed from the financial sector—of value-at-risk. There are, she said, a number of tools on offer for estimating value-at-risk, and some of the firms offering them were in attendance at the conference. She described the experience of using questionnaires to help estimate customers' value-at-risk: there's a big disconnect in VaR estimation between IT and executives. The executives tend to underestimate risk. She closed her remarks by cautioning the audience that most insurance policies don't cover cyber incidents. "Remember, you protect what you can value."
Transfering cyber risk.
Horenberg brought the perspective of her work in the cyber insurance market. She began by cautioning the audience about directors' and officers' exposure to liability in the cases of cyber-related incidents. Insurance, obviously, is an important way of transfering risk, but cyber insurance isn't as straightforward as other kinds of policies. "These are not standard insurance policies in any way," she said. "They're complex--you've got to work closely with your broker."
That said, everyone needs cyber insurance, in her view. A businesses cyber policies should cover not only hacking, but business interruption, liability from loss of data, slander, libel, media exposure, privacy violations, intellectual property loss, and so on. Horenberg noted that insurance companies also provide breach response services. She closed by pointing out that we're dealing with some big numbers when we consider cyber losses. She cited a case in which a $3.9M fine was assessed against an organization for losing an unencrypted laptop. Nor are notification expenses post-breach trivial, either: Ponemon estimates the cost per compromised record at $217, and that adds up quickly when a customer database is exposed.
The legal Rubik's Cube.
Moulsdale took up the legal obligations businesses have with respect to cyber. "Data security is like Rubik's Cube, with a different law on each of its faces." The laws that apply to you depend at the very least on location (of your business, of your employees, and of your data), the type of data your business holds, your sector, and your customers. There's relevant statutory law, and there are rules that set standards (for preparation and compliance, data destruction and retention, and so on). And there's also common law, which has a very long history with respect to expectations of privacy, but a very short history of dealing with the issues that arise in cyberspace. "We've got clever plaintiff's attorneys applying common law to online privacy." The other faces of this Rubik's Cube contain regulatory authorities (like the Federal Trade Commission), contract law, and industry practices.
McCreedy intervened to ask what steps businesses should take to deal with this complexity. Moulsdale said they start solving Rubik's Cube with some self-analysis ("take a selfie"). Then write and test policies. Establish and exercise a response plan. In dealing with your vendors, make sure you write contracts that flow responsibilities down to them. "If your vendor can't handle this, find another vendor." It's complicated but there's hope out there—Moulsdale thought the NIST Framework represents a good, generally accepted starting point.
What does cyber insurance cover?
At this point the panel took questions from the audience, the first of which asked about the scope of the incidents cyber insurance covered. The panelists explained that cyber insurance isn't confined to "hacks." It covers voluntary breaches by ill-intentioned or socially engineered insiders, device loss, dumpster diving, and so on. The insider threat, they were at pains to point out, is a very real one. It may not fit the classical conception of "hacking, but it definitely forms part of the threat landscape. Threats can also be complex and intertwined: many ransomware attacks, for example, are conducted primarily to mask other, more serious, forms of attack.
How can we encourage disclosure and cooperation?
A questioner asked, given the familiar saying that there are two kinds of companies—those who've been hacked and those who don't know they've been hacked—why we don't hear about more incidents. If they've all been breached, why aren't we seeing more disclosures? The panel noted that public companies are required to disclose material information, and that all businesses in the US are also governed by state laws. The states are steadily increasing their disclosure requirements ("they keep upping the ante"). Currently forty-seven states, the District of Columbia, Guam, and Puerto Rico, have disclosure and data protection laws.
But if, a questioner asked, the victims tend to get blamed in cases of cyber crime, how could we encourage more data sharing? The panelists again reminded the audience that regulations drive disclosure, and they generally agreed that, "You'd be shocked how many disclosures there are, and how few of them receive press attention." Actually, we are seeing increasing data sharing, even among competitors. The degree of collaboration and sharing has been surprising. A panelist recommended the insurance industry's Advisen as a good source of shared informaiton, and another noted the trend in the Federal Government toward more effective facilitation of data sharing.
What about record-keeping and incident response?
What about documentation of actual or potential breaches, a member of the audience asked? The panel thought there were pluses and minuses to documentation. Your best course of action in the event of a breach ("self-serving as this might sound," an attorney on the panel commented) is to first hire a lawyer, and then let the records fall, insofar as it's possible, under attorney-client privilege. And remember that the requirements in insurance policies may require a response—if you don't respond appropriately under the terms of your policy, you may invalidate that policy.
So, can you outsource your risk?
The final question dealt with outsourcing. When you outsource, do you keep your same insurance policy, or can you rely on the policies of the vendors to whom you outsource? The panel emphasized that your data belong to you, no matter where they are, no matter what cloud service helps hold them for you. Every company needs its own insurance, and you still need to have sound policies and procedures, and you still need to train your employees. You can't outsource this.
Final thoughts: aphorisms on cyber risk management.
In closing, the panel offered these thoughts. On risk: "People think it's never going to happen to them. Until an event occurs, we have a hard time getting their attention." On insurance: "You buy property insurance; why not cyber insurance? A cyber attack is more likely than a fire." On the quantification of risk: "It's important to communicate costs to small business—the costs of insurance, and the costs of potential incidents." And, finally, on change: "The number one thing that drives change is customers. If you lose a customer because you don't have adequate security, you've lost money."
Cybersecurity Risk Management 360 was jointly organized by the Cybersecurity Association of Maryland, the Chesapeake Regional Tech Council, the Greater Baltimore Committee, and the Maryland Department of Commerce.